Statement 1

The PixelPin solution is simple and quick to use, yet very secure.
PixelPin eliminates the traditional alphanumeric password by using a
picture based approach. The user chooses an image that’s personal to
them (e.g. a photograph of their family or a memorable holiday photo).
They then choose 4 points (Passpoints) in sequence on the image. The
PixelPin process eliminates the risk of phishing, dictionary attacks
and brute force hacking. There’s also a growing body of academic
research suggesting that people remember Passpoints on a personal
image more easily given the emotional connection evoked during the
process.

Statement 2

However, Kleopatra, a certificate manager for OpenPGP and X.509 (S/MIME) and common crypto dialogs, says that

Photos give a false sense of security.

Statement 1 seems to contradict Statement 2.

Question: what is this noise about picture-based authentication? Is it secure to use or not?

3 Answers

The two statements speak of completely different things. They don't contradict each other. That does not make them both true, though.

PixelPin: this product apparently replaces the password by the selection of four positions on a picture. This means that you choose a picture, and your "password" is the sequence of coordinates for four points you choose on the picture.

Since users cannot be relied upon to always click on the exact same pixel, especially since they claim support for touch screens, one must assume that the pixel selection is kind of fuzzy. If we suppose a full-screen picture on a smartphone, we can hope for, say, 200 possible selection points in the picture (it is as if the click from the user fell on a 20x10 grid). The implementation must do something smart to avoid threshold effects (when the user chooses a selection point which is close to the boundary between two grid elements).

Four selection points then mean 200^4 possible "passwords", i.e. an entropy of a bit more than 30 bits. While this is not bad, as far as passwords go, this is not exactly the most robust password ever. An important point to make is that human users are unlikely to choose "really random" points on the picture. As the example on the page shows, human users will click on the cat's nose, not on a random place in the back wall, if only to be able to click again on it at the next login attempt. I seriously doubt that in real conditions, human users would achieve enough randomness in their selection to defeat brute force attacks.

The PixelPin company claims that using a user-chosen picture makes it easier for users to remember their points; that I am ready to believe. They talk about the Picture Superiority Effect, a pompous name for the fact that humans are apes and apes are very visual animals -- primates have had good vision for about 50 million years, while writing is human-only and no older than about 6000 years. It is no surprise that human memory groks pictures efficiently. Our ancestors were highly trained to remember what a lion looks like (let's say that the career of those who could not remember that was, on average, shorter).

Overall, I find the claims of PixelPin a bit bold, quite possibly outrageous. The idea is interesting, though.

The picture in certificates is something else. A certificate is about binding an identity with a public key. A picture could be thought of as part of the identity.

The people at Kleopatra state that they don't want to support pictures for several reasons, among which the idea that photos give a "false sense of security". What they mean is that a photo is a reasonable part of the identity of a person only insofar as the issuing CA checked that the photo was really that of the target person. This seems dubious, unless the issuing CA took the photo itself. Right now, with certificates as they are used today, photos in certificates are merely advertising; they are pictures of what the certificate holder would like to look like, and not pictures of the key owner as he really is.

Briefly said, pictures in certificates tend to give users warm fuzzy feelings about some assumed enhanced security (by analogy with ID tags and passports, mostly), but these feelings are largely unsubstantiated. Kleopatra developers feel it their duty to protect users against such things, hence the absence of support. (Or possibly they were just lazy and did not want to implement the support for pictures.)

This is completely different from what pictures are used for in PixelPin. PixelPin is about pictures as support for human memory. Kleopatra is talking about pictures as part of the physical identity.

+1 I've seen a study that used a hot-spot map to demonstrate how many users would choose the same spots, often focal points of the picture. These patterns are easily exploitable. The fuzziness, which is necessary for usability, also makes brute-force attacks easier.
– Dani, Mar 12 '13 at 17:20

I believe that the order in which the points are selected is also a factor of the authentication, so there are 4! possible combinations for any 4 points in the picture. (Perhaps this wasn't the case when the post was originally written.)
– icio, Mar 6 at 10:51

The "200^4" computation already includes the order. If points were unordered, the number of possible combinations would be 200*199*198*197/24, i.e. about, indeed, 4! times lower.
– Thomas Pornin, Mar 6 at 11:43
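The entropy estimate in the answer above (200 fuzzy cells, four ordered clicks, a bit over 30 bits) and the ordered-versus-unordered exchange in the comments, worked through as an added example that is not part of the original post or of PixelPin's implementation. The 20x10 grid, the 800x400 picture size, the 5 px tolerance and the "10 focal points" figure are all constructed assumptions.

```python
import math

# Constructed grid: 20 columns x 10 rows = 200 cells, matching the answer's
# "about 200 possible selection points" on a full-screen smartphone picture.
GRID_COLS, GRID_ROWS = 20, 10
PASSPOINTS = 4


def quantize(x, y, width, height, cols=GRID_COLS, rows=GRID_ROWS):
    """Snap a click at pixel (x, y) to a grid cell (col, row).

    This is the fuzzy matching the answer assumes: any click inside a cell
    counts as the same passpoint, so the effective alphabet is cols*rows
    cells, not width*height pixels."""
    col = min(int(x * cols / width), cols - 1)
    row = min(int(y * rows / height), rows - 1)
    return (col, row)


def near_boundary(x, y, width, height, tol_px, cols=GRID_COLS, rows=GRID_ROWS):
    """Threshold effect: True if the click is within tol_px of a cell edge,
    i.e. a slightly different click next time may snap to a neighbouring cell."""
    cell_w, cell_h = width / cols, height / rows
    dx, dy = x % cell_w, y % cell_h
    return min(dx, cell_w - dx) < tol_px or min(dy, cell_h - dy) < tol_px


def keyspace(cells, n_points=PASSPOINTS, ordered=True):
    """Number of distinct passpoint 'passwords'.

    ordered=True  : cells ** n_points, the answer's 200^4 (order matters,
                    a cell may be reused).
    ordered=False : C(cells, n_points), the comment's 200*199*198*197/4!,
                    distinct cells in any order."""
    return cells ** n_points if ordered else math.comb(cells, n_points)


def entropy_bits(cells, n_points=PASSPOINTS, ordered=True):
    """Entropy in bits if every password in the keyspace were equally likely."""
    return math.log2(keyspace(cells, n_points, ordered))


if __name__ == "__main__":
    # Full grid: a bit more than 30 bits, as the answer says.
    print(f"200 cells, ordered:   {entropy_bits(200):.2f} bits")
    print(f"200 cells, unordered: {entropy_bits(200, ordered=False):.2f} bits")
    # Hot-spot effect from the first comment: if users only pick from a
    # handful of focal points (constructed: 10), the realistic keyspace collapses.
    print(f"10 focal points:      {entropy_bits(10):.2f} bits")
    # Threshold effect: a click 1 px past a cell edge on an 800x400 picture.
    print(quantize(41, 200, 800, 400), near_boundary(41, 200, 800, 400, tol_px=5))
```

The unordered count is about 4! times smaller than 200^4, which is the comparison made in the comment thread; the focal-point figure shows why the 30-bit number is an upper bound rather than what real users would achieve.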

Kleopatra is saying an embedded photo in a certificate does not prove the certificate came from the person pictured. This is a whole different use of a picture for authentication purposes.

As to the security of PixelPin, without knowing more about the implementation, one can't tell. The problem, I think, is going to be the same as with using a fingerprint: the service must store all the information needed for a replay attack in plain text. However, I could be wrong about this; without more information there is just no way to tell.

Yeah. The biggest problem is that the data is "fuzzy": it has to capture you clicking on the image in a range of areas, but this data would be very difficult to supply into a one-way hash. Also it's impossible to use with something like a password manager: for one site, this might work. For a hundred sites, many of which you use infrequently? A goddamned nightmare.
– Stephen Touset, Mar 11 '13 at 18:49

@StephenTouset which is the same issue with biometric data.
– ewanm89, Mar 11 '13 at 18:51

It seems like their approach would be very vulnerable to shoulder surfing.

I think it will be harder to remember lots of different combinations
of "pixel pin points" than it is to remember lots of different passwords,
so users will use the same pictures and points over and over, which would
have the same vulnerability as users using the same passwords everywhere.

There's also the obvious problem of "easy passwords" such as four points
in a row, and systemic weaknesses such as bias toward left-right and top-down
order of points.

It isn't stated in their video, but if the identity of the picture is
part of the password, and the picture exists only locally, that would
be really strong security - but access from unusual locations would be
impossible.